Part 2: Cloud Service Security
In my previous post on modern data warehouse security, we looked at issues related to database security. This post will focus on the separate, but related issue of cloud service security, which is increasingly important since nearly half of all data warehouses are hosted in the cloud. The economics of the cloud, the agility with which you can build out and modify services, and the potential to scale almost infinitely continue to accelerate the adoption of cloud data warehouses.
As I did in my database security post, I’ll run through some of the key questions you should ask when evaluating cloud service security. As noted before: you really do need to look at both data warehouse security and cloud service security, as without both you are left with security vulnerabilities you do not need. Answers detailed below and summarized in the Cloud Service Diagram on the right include key cloud service security features offered by our hybrid cloud data warehouse service, Actian Avalanche, that strengthen security, governance and privacy.
How can I ensure that my data warehouse is isolated from threats?
Since the cloud data warehouse is under constant attack from threats that are often difficult to detect, a data warehouse should provide a variety of isolation and access control techniques to keep it secure from bad actors. These include:
- Limiting data warehouse access to specific IP ranges with an “IP Allow” list using Classless Inter-Domain Routing (CIDR). CIDR is a set of Internet protocol standards used to create unique identifiers for networks and individual devices.
- Having only a single tenant for your data warehouse (more on this in a minute).
- Using the cloud service’s virtual private cloud (VPC) to isolate a private network.
- Restricting administrative access to metadata and provisioning, management, and monitoring information with platform access control.
How can I ensure that other cloud service customers can’t access my data warehouse?
Make sure your data warehouse provider has configured your data warehouse as a single-tenant solution. In a single-tenancy architecture, dedicated infrastructure supports a single instance of a software application that is used by just one customer. Since nothing is shared with other tenants, there is less opportunity for other tenants to access the data in your data warehouse.
Are my cryptographic keys safe?
Leading cloud service providers offer secure and robust key management services (KMSs) that use a hardware security module (HSM)—a hardened, tamper-resistant device—to manage, process and store cryptographic keys. HSMs ensure the safety of keys through strong access control systems. A cloud-ready data warehouse should be able to, at a minimum, leverage the KMS of its underlying cloud provider to encrypt and decrypt data.
How can I ensure secure data sharing with customers, affiliates, and trusted partners?
Nowadays, organizations are extending data warehouse access to their customers, affiliates, and trusted partners to collaborate on opportunities to drive revenue, cut costs and increase efficiency. Data warehouse support for a federated single sign-on (SSO) service provides a highly secure, low-maintenance way to share data with trusted external organizations. Each external organization maintains and manages its own identities and links these through a third-party enterprise identity provider (IdP) that centralizes management and governance of permissions and authentication.
How can I make sure my users’ communication with the data warehouse is private and secure?
By encrypting messages at both ends of a conversation, end-to-end encryption (E2EE) prevents anyone in the middle from reading private communications. Data warehouse support for E2EE is vital to help stop man-in-the-middle (MiTM) attacks that interrupt a data transfer.
Am I protected against unauthorized access?
All technology service or SaaS companies that store customer data in the cloud should perform an audit using the System and Organization Controls 2 (SOC 2) framework, which will validate whether their organizational controls and practices effectively safeguard the privacy and security of customer and client data. The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 framework which focuses on security controls related to availability, privacy, processing integrity, and confidentiality. Successful completion of a SOC 2 audit shows that the data warehouse can keep sensitive organizational and client data secure.
That’s a wrap on modern data warehouse security at the cloud service level. If you haven’t already done so, check out my blog on Securing data within the data warehouse is just as important as securing the cloud services supporting the cloud data warehouse. Naturally, you should also check out the Actian™ hybrid-cloud data warehouse, which offers all the key security features enumerated above to provide you with a highly secure and extraordinarily powerful cloud data warehouse platform.
Finally, for other tips on data modernization, watch Actian’s on-demand webcast where you’ll hear from Jim Curtis, 451 Group’s resident expert on Data Modernization, as well as Actian’s Raghu Chakravarthi and Paul Wolmering. Raghu is Actian’s SVP of R&D, who formerly ran Teradata’s Big Data Group, and Paul is Actian’s VP of Solution Engineering, who previously led field engineering teams at Netezza.